Commit Message

Root in a non-initial user ns cannot be trusted to write a traditional
security.capability xattr. If it were allowed to do so, then any
unprivileged user on the host could map his own uid to root in a private
namespace, write the xattr, and execute the file with privilege on the
host.
However supporting file capabilities in a user namespace is very
desirable. Not doing so means that any programs designed to run with
limited privilege must continue to support other methods of gaining and
dropping privilege. For instance a program installer must detect
whether file capabilities can be assigned, and assign them if so but set
setuid-root otherwise. The program in turn must know how to drop
partial capabilities, and do so only if setuid-root.
This patch introduces v3 of the security.capability xattr. It builds a
vfs_ns_cap_data struct by appending a uid_t rootid to struct
vfs_cap_data. This is the absolute uid_t (that is, the uid_t in user
namespace which mounted the filesystem, usually init_user_ns) of the
root id in whose namespaces the file capabilities may take effect.
When a task asks to write a v2 security.capability xattr, if it is
privileged with respect to the userns which mounted the filesystem, then
nothing should change. Otherwise, the kernel will transparently rewrite
the xattr as a v3 with the appropriate rootid. This is done during the
execution of setxattr() to catch user-space-initiated capability writes.
Subsequently, any task executing the file which has the noted kuid as
its root uid, or which is in a descendent user_ns of such a user_ns,
will run the file with capabilities.
Similarly when asking to read file capabilities, a v3 capability will
be presented as v2 if it applies to the caller's namespace.
If a task writes a v3 security.capability, then it can provide a uid for
the xattr so long as the uid is valid in its own user namespace, and it
is privileged with CAP_SETFCAP over its namespace. The kernel will
translate that rootid to an absolute uid, and write that to disk. After
this, a task in the writer's namespace will not be able to use those
capabilities (unless rootid was 0), but a task in a namespace where the
given uid is root will.
Only a single security.capability xattr may exist at a time for a given
file. A task may overwrite an existing xattr so long as it is
privileged over the inode. Note this is a departure from previous
semantics, which required privilege to remove a security.capability
xattr. This check can be re-added if deemed useful.
This allows a simple setxattr to work, allows tar/untar to work, and
allows us to tar in one namespace and untar in another while preserving
the capability, without risking leaking privilege into a parent
namespace.
Example using tar:
$ cp /bin/sleep sleepx
$ mkdir b1 b2
$ lxc-usernsexec -m b:0:100000:1 -m b:1:$(id -u):1 -- chown 0:0 b1
$ lxc-usernsexec -m b:0:100001:1 -m b:1:$(id -u):1 -- chown 0:0 b2
$ lxc-usernsexec -m b:0:100000:1000 -- tar --xattrs-include=security.capability --xattrs -cf b1/sleepx.tar sleepx
$ lxc-usernsexec -m b:0:100001:1000 -- tar --xattrs-include=security.capability --xattrs -C b2 -xf b1/sleepx.tar
$ lxc-usernsexec -m b:0:100001:1000 -- getcap b2/sleepx
b2/sleepx = cap_sys_admin+ep
# /opt/ltp/testcases/bin/getv3xattr b2/sleepx
v3 xattr, rootid is 100001
A patch to linux-test-project adding a new set of tests for this
functionality is in the nsfscaps branch at github.com/hallyn/ltp
Changelog:
Nov 02 2016: fix invalid check at refuse_fcap_overwrite()
Nov 07 2016: convert rootid from and to fs user_ns
(From ebiederm: mar 28 2017)
commoncap.c: fix typos - s/v4/v3
get_vfs_caps_from_disk: clarify the fs_ns root access check
nsfscaps: change the code split for cap_inode_setxattr()
Apr 09 2017:
don't return v3 cap for caps owned by current root.
return a v2 cap for a true v2 cap in non-init ns
Apr 18 2017:
. Change the flow of fscap writing to support s_user_ns writing.
. Remove refuse_fcap_overwrite(). The value of the previous
xattr doesn't matter.
Apr 24 2017:
. incorporate Eric's incremental diff
. move cap_convert_nscap to setxattr and simplify its usage
May 8, 2017:
. fix leaking dentry refcount in cap_inode_getsecurity
Signed-off-by: Serge Hallyn <serge@hallyn.com>
---
fs/xattr.c | 6 +
include/linux/capability.h | 2 +
include/linux/security.h | 2 +
include/uapi/linux/capability.h | 22 +++-
security/commoncap.c | 270 +++++++++++++++++++++++++++++++++++++---
5 files changed, 280 insertions(+), 22 deletions(-)

Hi Stefan,
On Tue, Jun 13, 2017 at 11:47:26AM -0400, Stefan Berger wrote:
> On 05/08/2017 02:11 PM, Serge E. Hallyn wrote:> > Root in a non-initial user ns cannot be trusted to write a traditional> > security.capability xattr. If it were allowed to do so, then any> > unprivileged user on the host could map his own uid to root in a private> > namespace, write the xattr, and execute the file with privilege on the> > host.> > > > However supporting file capabilities in a user namespace is very> > desirable. Not doing so means that any programs designed to run with> > limited privilege must continue to support other methods of gaining and> > dropping privilege. For instance a program installer must detect> > whether file capabilities can be assigned, and assign them if so but set> > setuid-root otherwise. The program in turn must know how to drop> > partial capabilities, and do so only if setuid-root.> > Hi Serge,> > > I have been looking at patch below primarily to learn how we could apply a> similar technique to security.ima and security.evm for a namespaced IMA.> From the paragraphs above I thought that you solved the problem of a shared> filesystem where one now can write different security.capability xattrs by> effectively supporting for example security.capability[uid=1000] and> security.capability[uid=2000] written into the filesystem. Each would then> become visible as security.capability if the userns mapping is set> appropriately.
One disadvantage of this approach is that whoever is setting up the
container would need to go touch the security.ima attribute for each
file in the contianer, which would slow down container creation time.
For capabilities this makes sense, because you might want the file to
have different capabilities in different namespaces, but for IMA,
since the file hash will be the same in every namespace, it would be
nice to use a design that avoids touching each file on new ns
creation.
Cheers,
Tycho

Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):
> On 05/08/2017 02:11 PM, Serge E. Hallyn wrote:> >Root in a non-initial user ns cannot be trusted to write a traditional> >security.capability xattr. If it were allowed to do so, then any> >unprivileged user on the host could map his own uid to root in a private> >namespace, write the xattr, and execute the file with privilege on the> >host.> >> >However supporting file capabilities in a user namespace is very> >desirable. Not doing so means that any programs designed to run with> >limited privilege must continue to support other methods of gaining and> >dropping privilege. For instance a program installer must detect> >whether file capabilities can be assigned, and assign them if so but set> >setuid-root otherwise. The program in turn must know how to drop> >partial capabilities, and do so only if setuid-root.> > Hi Serge,> > > I have been looking at patch below primarily to learn how we could> apply a similar technique to security.ima and security.evm for a> namespaced IMA. From the paragraphs above I thought that you solved> the problem of a shared filesystem where one now can write different> security.capability xattrs by effectively supporting for example> security.capability[uid=1000] and security.capability[uid=2000]> written into the filesystem. Each would then become visible as> security.capability if the userns mapping is set appropriately.> However, this doesn't seem to be how it is implemented. There seems> to be only a single such entry with uid appended to it and, if it> was a shared filesystem, the first one to set this attribute blocks> everyone else from writing the xattr. Is that how it works? Would
Yes, that's how this works here. I'd considered allowing multiple
entries, but I didn't feel that was needed for this case. In a previous
implementation (which is probably in the lkml archives somewhere) I
supported variable length xattr so that multiple containers could
each write a value tagged with their own userns.rootid. Instead,
in the final version, if root in any parent container writes an
xattr, it will take effect in child user namespaces. Which is
sensible - the parent presumbly laid out the filesystem to create
the child container.
> that work differently with an overlay filesystem ? I think a similar
Certainly an overlay filesystem should be an easy case as the container
can have its own copy of the inode with its own xattr. Btrfs/zfs
would be nicer as the whole file wouldn't need to be copied.
> model could also work for IMA, but maybe you have some thoughts. The> only thing I would be concerned about is blocking the parent> container's root user from setting an xattr.
So if you have container c1 creating child container c2 on host h1,
then if c1 creates an xattr, can c2 not use that? And if h1 writes it,
can c1 and c2 use it?
If they can't, then I guess for IMA multiple xattrs would need to be
supported.
-serge

On 06/13/2017 01:14 PM, Tycho Andersen wrote:
> Hi Stefan,>> On Tue, Jun 13, 2017 at 11:47:26AM -0400, Stefan Berger wrote:>> On 05/08/2017 02:11 PM, Serge E. Hallyn wrote:>>> Root in a non-initial user ns cannot be trusted to write a traditional>>> security.capability xattr. If it were allowed to do so, then any>>> unprivileged user on the host could map his own uid to root in a private>>> namespace, write the xattr, and execute the file with privilege on the>>> host.>>>>>> However supporting file capabilities in a user namespace is very>>> desirable. Not doing so means that any programs designed to run with>>> limited privilege must continue to support other methods of gaining and>>> dropping privilege. For instance a program installer must detect>>> whether file capabilities can be assigned, and assign them if so but set>>> setuid-root otherwise. The program in turn must know how to drop>>> partial capabilities, and do so only if setuid-root.>> Hi Serge,>>>>>> I have been looking at patch below primarily to learn how we could apply a>> similar technique to security.ima and security.evm for a namespaced IMA.>> From the paragraphs above I thought that you solved the problem of a shared>> filesystem where one now can write different security.capability xattrs by>> effectively supporting for example security.capability[uid=1000] and>> security.capability[uid=2000] written into the filesystem. Each would then>> become visible as security.capability if the userns mapping is set>> appropriately.> One disadvantage of this approach is that whoever is setting up the> container would need to go touch the security.ima attribute for each> file in the contianer, which would slow down container creation time.> For capabilities this makes sense, because you might want the file to> have different capabilities in different namespaces, but for IMA,> since the file hash will be the same in every namespace, it would be> nice to use a design that avoids touching each file on new ns> creation.
Actually IMA in appraisal mode also supports signatures in the extended
attributes. Depending on which (public) keys you put on the IMA keyring
for a namespaced IMA, you may need a different signature on a file to be
able to access it (execute it for example). For this to work containers
would have to be able to ship with security.ima xattrs embedded in them
and users should be able to apply signatures on files on a running
container (or while building it). I worked on a prototype for namespaces
IMA before where one of the issues was the CAP_SYS_ADMIN gate that
disallows setting of security.ima when dropped. So some form of
exception would have to be granted to be allowed to set security.ima
from inside a container while CAP_SYS_ADMIN isn't there. And of course
we need to protect the host's filesystem from an attack where the user
just modifies the security.ima signature associated with a file.
Stefan
> Cheers,>> Tycho>

On Tue, 2017-06-13 at 11:14 -0600, Tycho Andersen via Containers wrote:
> Hi Stefan,> > On Tue, Jun 13, 2017 at 11:47:26AM -0400, Stefan Berger wrote:> > On 05/08/2017 02:11 PM, Serge E. Hallyn wrote:> > > Root in a non-initial user ns cannot be trusted to write a > > > traditional security.capability xattr. If it were allowed to do > > > so, then any unprivileged user on the host could map his own uid > > > to root in a private namespace, write the xattr, and execute the > > > file with privilege on the host.> > > > > > However supporting file capabilities in a user namespace is very> > > desirable. Not doing so means that any programs designed to run > > > with limited privilege must continue to support other methods of> > > gaining and dropping privilege. For instance a program installer > > > must detect whether file capabilities can be assigned, and assign > > > them if so but set setuid-root otherwise. The program in turn > > > must know how to drop partial capabilities, and do so only if> > > setuid-root.> > > > Hi Serge,> > > > > > I have been looking at patch below primarily to learn how we > > could apply a similar technique to security.ima and security.evm > > for a namespaced IMA. From the paragraphs above I thought that you > > solved the problem of a shared filesystem where one now can write > > different security.capability xattrs by effectively supporting for > > example security.capability[uid=1000] and> > security.capability[uid=2000] written into the filesystem. Each> > would then become visible as security.capability if the userns > > mapping is set appropriately.> > One disadvantage of this approach is that whoever is setting up the> container would need to go touch the security.ima attribute for each> file in the contianer, which would slow down container creation time.> For capabilities this makes sense, because you might want the file to> have different capabilities in different namespaces, but for IMA,> since the file hash will be the same in every namespace,
Actually, this isn't necessarily true: IMA may have the hash, you're
right, but I suspect in most container use cases it will have the
signature. It's definitely a use case that the container will be using
a different keyring from the host, so different signatures are surely
possible for the same underlying image file.
One might imagine doing the above via overlays, because the new
signature should override the old.
James
> it would be nice to use a design that avoids touching each file on > new ns creation.

On 06/13/2017 01:18 PM, Serge E. Hallyn wrote:
> Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):>> On 05/08/2017 02:11 PM, Serge E. Hallyn wrote:>>> Root in a non-initial user ns cannot be trusted to write a traditional>>> security.capability xattr. If it were allowed to do so, then any>>> unprivileged user on the host could map his own uid to root in a private>>> namespace, write the xattr, and execute the file with privilege on the>>> host.>>>>>> However supporting file capabilities in a user namespace is very>>> desirable. Not doing so means that any programs designed to run with>>> limited privilege must continue to support other methods of gaining and>>> dropping privilege. For instance a program installer must detect>>> whether file capabilities can be assigned, and assign them if so but set>>> setuid-root otherwise. The program in turn must know how to drop>>> partial capabilities, and do so only if setuid-root.>> Hi Serge,>>>>>> I have been looking at patch below primarily to learn how we could>> apply a similar technique to security.ima and security.evm for a>> namespaced IMA. From the paragraphs above I thought that you solved>> the problem of a shared filesystem where one now can write different>> security.capability xattrs by effectively supporting for example>> security.capability[uid=1000] and security.capability[uid=2000]>> written into the filesystem. Each would then become visible as>> security.capability if the userns mapping is set appropriately.>> However, this doesn't seem to be how it is implemented. There seems>> to be only a single such entry with uid appended to it and, if it>> was a shared filesystem, the first one to set this attribute blocks>> everyone else from writing the xattr. Is that how it works? Would> Yes, that's how this works here. I'd considered allowing multiple> entries, but I didn't feel that was needed for this case. In a previous> implementation (which is probably in the lkml archives somewhere) I> supported variable length xattr so that multiple containers could> each write a value tagged with their own userns.rootid. Instead,> in the final version, if root in any parent container writes an> xattr, it will take effect in child user namespaces. Which is> sensible - the parent presumbly laid out the filesystem to create> the child container.>>> that work differently with an overlay filesystem ? I think a similar> Certainly an overlay filesystem should be an easy case as the container> can have its own copy of the inode with its own xattr. Btrfs/zfs> would be nicer as the whole file wouldn't need to be copied.>>> model could also work for IMA, but maybe you have some thoughts. The>> only thing I would be concerned about is blocking the parent>> container's root user from setting an xattr.> So if you have container c1 creating child container c2 on host h1,> then if c1 creates an xattr, can c2 not use that? And if h1 writes it,> can c1 and c2 use it?
In the case of IMA appraisal the extended attribute security.ima would
be a signature. For c1 and c2 to use that file they would all have to
have the same key on their (isolated IMA namespace ) keyring. I think
this type of setup could be arranged.
Following your attack description in the introduction I would say that
we would want to prevent malicious modification of a security.ima
extended attribute:
"Root in a non-initial user ns cannot be trusted to write a traditional security.ima xattr. If it were allowed to do so, then any unprivileged user on the host could map his own uid to root in a private namespace, write the signature in the security.ima xattr, and prevent the file from being accessible on the host."
>> If they can't, then I guess for IMA multiple xattrs would need to be> supported.
I am not sure about that. I suppose any extended attribute modifications
would have to be designed for the case where a shared filesystem is used
that also shares the extended attributes, not assuming an overlay
filesystem that automatically isolates the extend attributes. With the
shared filesystem I'd like to prevent any type of setting of extended
attributes by a child container or more generally anyone mounting it as
a '2nd consumer', which would make it a shared filesystem. Only the
process that mounts a filesystem as the '1st consumer' would be able to
set the extended attributes. I am assuming that using an overlay fs
would always make you the '1st consumer' -- I would hope that these
conditions could be detected. And probably the process should also write
along its host uid as part of writing out the xattr. If all extended
attributes were to support this model, maybe the 'uid' could be
associated with the 'name' of the xattr rather than its 'value' (not
sure whether that's possible).
Stefan
>> -serge>

On Tue, Jun 13, 2017 at 10:45:02AM -0700, James Bottomley wrote:
> On Tue, 2017-06-13 at 11:14 -0600, Tycho Andersen via Containers wrote:> > Hi Stefan,> > > > On Tue, Jun 13, 2017 at 11:47:26AM -0400, Stefan Berger wrote:> > > On 05/08/2017 02:11 PM, Serge E. Hallyn wrote:> > > > Root in a non-initial user ns cannot be trusted to write a > > > > traditional security.capability xattr. If it were allowed to do > > > > so, then any unprivileged user on the host could map his own uid > > > > to root in a private namespace, write the xattr, and execute the > > > > file with privilege on the host.> > > > > > > > However supporting file capabilities in a user namespace is very> > > > desirable. Not doing so means that any programs designed to run > > > > with limited privilege must continue to support other methods of> > > > gaining and dropping privilege. For instance a program installer > > > > must detect whether file capabilities can be assigned, and assign > > > > them if so but set setuid-root otherwise. The program in turn > > > > must know how to drop partial capabilities, and do so only if> > > > setuid-root.> > > > > > Hi Serge,> > > > > > > > > I have been looking at patch below primarily to learn how we > > > could apply a similar technique to security.ima and security.evm > > > for a namespaced IMA. From the paragraphs above I thought that you > > > solved the problem of a shared filesystem where one now can write > > > different security.capability xattrs by effectively supporting for > > > example security.capability[uid=1000] and> > > security.capability[uid=2000] written into the filesystem. Each> > > would then become visible as security.capability if the userns > > > mapping is set appropriately.> > > > One disadvantage of this approach is that whoever is setting up the> > container would need to go touch the security.ima attribute for each> > file in the contianer, which would slow down container creation time.> > For capabilities this makes sense, because you might want the file to> > have different capabilities in different namespaces, but for IMA,> > since the file hash will be the same in every namespace,> > Actually, this isn't necessarily true: IMA may have the hash, you're> right, but I suspect in most container use cases it will have the> signature. It's definitely a use case that the container will be using> a different keyring from the host, so different signatures are surely> possible for the same underlying image file.> > One might imagine doing the above via overlays, because the new> signature should override the old.
Yes, good point, thanks. Assuming the container and the host are using
the same keyring, we could design it in such a way that the container
engine doesn't need to touch every file on creation, which would be
very nice.
Tycho

On 06/13/2017 04:46 PM, Tycho Andersen wrote:
> On Tue, Jun 13, 2017 at 10:45:02AM -0700, James Bottomley wrote:>> On Tue, 2017-06-13 at 11:14 -0600, Tycho Andersen via Containers wrote:>>> Hi Stefan,>>>>>> On Tue, Jun 13, 2017 at 11:47:26AM -0400, Stefan Berger wrote:>>>> On 05/08/2017 02:11 PM, Serge E. Hallyn wrote:>>>>> Root in a non-initial user ns cannot be trusted to write a>>>>> traditional security.capability xattr. If it were allowed to do>>>>> so, then any unprivileged user on the host could map his own uid>>>>> to root in a private namespace, write the xattr, and execute the>>>>> file with privilege on the host.>>>>>>>>>> However supporting file capabilities in a user namespace is very>>>>> desirable. Not doing so means that any programs designed to run>>>>> with limited privilege must continue to support other methods of>>>>> gaining and dropping privilege. For instance a program installer>>>>> must detect whether file capabilities can be assigned, and assign>>>>> them if so but set setuid-root otherwise. The program in turn>>>>> must know how to drop partial capabilities, and do so only if>>>>> setuid-root.>>>> Hi Serge,>>>>>>>>>>>> I have been looking at patch below primarily to learn how we>>>> could apply a similar technique to security.ima and security.evm>>>> for a namespaced IMA. From the paragraphs above I thought that you>>>> solved the problem of a shared filesystem where one now can write>>>> different security.capability xattrs by effectively supporting for>>>> example security.capability[uid=1000] and>>>> security.capability[uid=2000] written into the filesystem. Each>>>> would then become visible as security.capability if the userns>>>> mapping is set appropriately.>>> One disadvantage of this approach is that whoever is setting up the>>> container would need to go touch the security.ima attribute for each>>> file in the contianer, which would slow down container creation time.>>> For capabilities this makes sense, because you might want the file to>>> have different capabilities in different namespaces, but for IMA,>>> since the file hash will be the same in every namespace,>> Actually, this isn't necessarily true: IMA may have the hash, you're>> right, but I suspect in most container use cases it will have the>> signature. It's definitely a use case that the container will be using>> a different keyring from the host, so different signatures are surely>> possible for the same underlying image file.>>>> One might imagine doing the above via overlays, because the new>> signature should override the old.> Yes, good point, thanks. Assuming the container and the host are using> the same keyring, we could design it in such a way that the container> engine doesn't need to touch every file on creation, which would be> very nice.
I don't think this will be the general case. The host may be Ubuntu, the
guest could be Fedora and you'll have different keys. I don't think you
would want the container keys on the host keyring.
Stefan
>> Tycho>

On Tue, Jun 13, 2017 at 01:42:24PM -0400, Stefan Berger wrote:
> On 06/13/2017 01:14 PM, Tycho Andersen wrote:> > Hi Stefan,> > > > On Tue, Jun 13, 2017 at 11:47:26AM -0400, Stefan Berger wrote:> > > On 05/08/2017 02:11 PM, Serge E. Hallyn wrote:> > > > Root in a non-initial user ns cannot be trusted to write a traditional> > > > security.capability xattr. If it were allowed to do so, then any> > > > unprivileged user on the host could map his own uid to root in a private> > > > namespace, write the xattr, and execute the file with privilege on the> > > > host.> > > > > > > > However supporting file capabilities in a user namespace is very> > > > desirable. Not doing so means that any programs designed to run with> > > > limited privilege must continue to support other methods of gaining and> > > > dropping privilege. For instance a program installer must detect> > > > whether file capabilities can be assigned, and assign them if so but set> > > > setuid-root otherwise. The program in turn must know how to drop> > > > partial capabilities, and do so only if setuid-root.> > > Hi Serge,> > > > > > > > > I have been looking at patch below primarily to learn how we could apply a> > > similar technique to security.ima and security.evm for a namespaced IMA.> > > From the paragraphs above I thought that you solved the problem of a shared> > > filesystem where one now can write different security.capability xattrs by> > > effectively supporting for example security.capability[uid=1000] and> > > security.capability[uid=2000] written into the filesystem. Each would then> > > become visible as security.capability if the userns mapping is set> > > appropriately.> > One disadvantage of this approach is that whoever is setting up the> > container would need to go touch the security.ima attribute for each> > file in the contianer, which would slow down container creation time.> > For capabilities this makes sense, because you might want the file to> > have different capabilities in different namespaces, but for IMA,> > since the file hash will be the same in every namespace, it would be> > nice to use a design that avoids touching each file on new ns> > creation.> > Actually IMA in appraisal mode also supports signatures in the extended> attributes. Depending on which (public) keys you put on the IMA keyring for> a namespaced IMA, you may need a different signature on a file to be able to> access it (execute it for example). For this to work containers would have> to be able to ship with security.ima xattrs embedded in them and users> should be able to apply signatures on files on a running container (or while> building it).
Yes, we will definitely support shipping images with the security.ima
xattrs set when namespaced support is available in the kernel.
> I worked on a prototype for namespaces IMA before where one of> the issues was the CAP_SYS_ADMIN gate that disallows setting of security.ima> when dropped. So some form of exception would have to be granted to be> allowed to set security.ima from inside a container while CAP_SYS_ADMIN> isn't there. And of course we need to protect the host's filesystem from an> attack where the user just modifies the security.ima signature associated> with a file.
At least initially, I think it would be fine to require
capable(CAP_SYS_ADMIN); right now the container engine is the one
responsible for setting up the container's rootfs (via downloading an
image and extracting it), and these typically run as root.
Eventually it would be great to relax this, because
"unprivileged/rootless" containers are a thing people are interested
in, but as a first cut I'm not sure it's necessary.
Cheers, and thanks for looking at this!
Tycho

On Tue, Jun 13, 2017 at 04:49:03PM -0400, Stefan Berger wrote:
> On 06/13/2017 04:46 PM, Tycho Andersen wrote:> > On Tue, Jun 13, 2017 at 10:45:02AM -0700, James Bottomley wrote:> > > On Tue, 2017-06-13 at 11:14 -0600, Tycho Andersen via Containers wrote:> > > > Hi Stefan,> > > > > > > > On Tue, Jun 13, 2017 at 11:47:26AM -0400, Stefan Berger wrote:> > > > > On 05/08/2017 02:11 PM, Serge E. Hallyn wrote:> > > > > > Root in a non-initial user ns cannot be trusted to write a> > > > > > traditional security.capability xattr. If it were allowed to do> > > > > > so, then any unprivileged user on the host could map his own uid> > > > > > to root in a private namespace, write the xattr, and execute the> > > > > > file with privilege on the host.> > > > > > > > > > > > However supporting file capabilities in a user namespace is very> > > > > > desirable. Not doing so means that any programs designed to run> > > > > > with limited privilege must continue to support other methods of> > > > > > gaining and dropping privilege. For instance a program installer> > > > > > must detect whether file capabilities can be assigned, and assign> > > > > > them if so but set setuid-root otherwise. The program in turn> > > > > > must know how to drop partial capabilities, and do so only if> > > > > > setuid-root.> > > > > Hi Serge,> > > > > > > > > > > > > > > I have been looking at patch below primarily to learn how we> > > > > could apply a similar technique to security.ima and security.evm> > > > > for a namespaced IMA. From the paragraphs above I thought that you> > > > > solved the problem of a shared filesystem where one now can write> > > > > different security.capability xattrs by effectively supporting for> > > > > example security.capability[uid=1000] and> > > > > security.capability[uid=2000] written into the filesystem. Each> > > > > would then become visible as security.capability if the userns> > > > > mapping is set appropriately.> > > > One disadvantage of this approach is that whoever is setting up the> > > > container would need to go touch the security.ima attribute for each> > > > file in the contianer, which would slow down container creation time.> > > > For capabilities this makes sense, because you might want the file to> > > > have different capabilities in different namespaces, but for IMA,> > > > since the file hash will be the same in every namespace,> > > Actually, this isn't necessarily true: IMA may have the hash, you're> > > right, but I suspect in most container use cases it will have the> > > signature. It's definitely a use case that the container will be using> > > a different keyring from the host, so different signatures are surely> > > possible for the same underlying image file.> > > > > > One might imagine doing the above via overlays, because the new> > > signature should override the old.> > Yes, good point, thanks. Assuming the container and the host are using> > the same keyring, we could design it in such a way that the container> > engine doesn't need to touch every file on creation, which would be> > very nice.> > I don't think this will be the general case. The host may be Ubuntu, the> guest could be Fedora and you'll have different keys. I don't think you> would want the container keys on the host keyring.
I guess it depends: if your entire infrastructure needs to be signed
by your ops team, it would (presumably) all be the same ops key. If
you're running off the shelf stuff from the distros or from a vendor,
probably not, I agree.
Cheers,
Tycho

On 06/13/2017 04:53 PM, Tycho Andersen wrote:
> On Tue, Jun 13, 2017 at 04:49:03PM -0400, Stefan Berger wrote:>> On 06/13/2017 04:46 PM, Tycho Andersen wrote:>>> On Tue, Jun 13, 2017 at 10:45:02AM -0700, James Bottomley wrote:>>>> On Tue, 2017-06-13 at 11:14 -0600, Tycho Andersen via Containers wrote:>>>>> Hi Stefan,>>>>>>>>>> On Tue, Jun 13, 2017 at 11:47:26AM -0400, Stefan Berger wrote:>>>>>> On 05/08/2017 02:11 PM, Serge E. Hallyn wrote:>>>>>>> Root in a non-initial user ns cannot be trusted to write a>>>>>>> traditional security.capability xattr. If it were allowed to do>>>>>>> so, then any unprivileged user on the host could map his own uid>>>>>>> to root in a private namespace, write the xattr, and execute the>>>>>>> file with privilege on the host.>>>>>>>>>>>>>> However supporting file capabilities in a user namespace is very>>>>>>> desirable. Not doing so means that any programs designed to run>>>>>>> with limited privilege must continue to support other methods of>>>>>>> gaining and dropping privilege. For instance a program installer>>>>>>> must detect whether file capabilities can be assigned, and assign>>>>>>> them if so but set setuid-root otherwise. The program in turn>>>>>>> must know how to drop partial capabilities, and do so only if>>>>>>> setuid-root.>>>>>> Hi Serge,>>>>>>>>>>>>>>>>>> I have been looking at patch below primarily to learn how we>>>>>> could apply a similar technique to security.ima and security.evm>>>>>> for a namespaced IMA. From the paragraphs above I thought that you>>>>>> solved the problem of a shared filesystem where one now can write>>>>>> different security.capability xattrs by effectively supporting for>>>>>> example security.capability[uid=1000] and>>>>>> security.capability[uid=2000] written into the filesystem. Each>>>>>> would then become visible as security.capability if the userns>>>>>> mapping is set appropriately.>>>>> One disadvantage of this approach is that whoever is setting up the>>>>> container would need to go touch the security.ima attribute for each>>>>> file in the contianer, which would slow down container creation time.>>>>> For capabilities this makes sense, because you might want the file to>>>>> have different capabilities in different namespaces, but for IMA,>>>>> since the file hash will be the same in every namespace,>>>> Actually, this isn't necessarily true: IMA may have the hash, you're>>>> right, but I suspect in most container use cases it will have the>>>> signature. It's definitely a use case that the container will be using>>>> a different keyring from the host, so different signatures are surely>>>> possible for the same underlying image file.>>>>>>>> One might imagine doing the above via overlays, because the new>>>> signature should override the old.>>> Yes, good point, thanks. Assuming the container and the host are using>>> the same keyring, we could design it in such a way that the container>>> engine doesn't need to touch every file on creation, which would be>>> very nice.>> I don't think this will be the general case. The host may be Ubuntu, the>> guest could be Fedora and you'll have different keys. I don't think you>> would want the container keys on the host keyring.> I guess it depends: if your entire infrastructure needs to be signed> by your ops team, it would (presumably) all be the same ops key. If> you're running off the shelf stuff from the distros or from a vendor,> probably not, I agree.
I think this will largely depend on how IMA works with namespaces. In
the prototype I mention we had each container have its own _ima keyring
and the public keys were inside the container at the typical location
(for physical machines) and the mgmt. stack (docker) basically emulating
what the initramfs scripts are doing, which is loading all keys from
/etc/keys/ima into that keyring.
Stefan
> Cheers,>> Tycho>

On Tue, 2017-06-13 at 14:53 -0600, Tycho Andersen wrote:
> On Tue, Jun 13, 2017 at 04:49:03PM -0400, Stefan Berger wrote:> > On 06/13/2017 04:46 PM, Tycho Andersen wrote:> > > On Tue, Jun 13, 2017 at 10:45:02AM -0700, James Bottomley wrote:> > > > On Tue, 2017-06-13 at 11:14 -0600, Tycho Andersen via Containers wrote:> > > > > Hi Stefan,> > > > > > > > > > On Tue, Jun 13, 2017 at 11:47:26AM -0400, Stefan Berger wrote:> > > > > > On 05/08/2017 02:11 PM, Serge E. Hallyn wrote:> > > > > > > Root in a non-initial user ns cannot be trusted to write a> > > > > > > traditional security.capability xattr. If it were allowed to do> > > > > > > so, then any unprivileged user on the host could map his own uid> > > > > > > to root in a private namespace, write the xattr, and execute the> > > > > > > file with privilege on the host.> > > > > > > > > > > > > > However supporting file capabilities in a user namespace is very> > > > > > > desirable. Not doing so means that any programs designed to run> > > > > > > with limited privilege must continue to support other methods of> > > > > > > gaining and dropping privilege. For instance a program installer> > > > > > > must detect whether file capabilities can be assigned, and assign> > > > > > > them if so but set setuid-root otherwise. The program in turn> > > > > > > must know how to drop partial capabilities, and do so only if> > > > > > > setuid-root.> > > > > > Hi Serge,> > > > > > > > > > > > > > > > > > I have been looking at patch below primarily to learn how we> > > > > > could apply a similar technique to security.ima and security.evm> > > > > > for a namespaced IMA. From the paragraphs above I thought that you> > > > > > solved the problem of a shared filesystem where one now can write> > > > > > different security.capability xattrs by effectively supporting for> > > > > > example security.capability[uid=1000] and> > > > > > security.capability[uid=2000] written into the filesystem. Each> > > > > > would then become visible as security.capability if the userns> > > > > > mapping is set appropriately.> > > > > One disadvantage of this approach is that whoever is setting up the> > > > > container would need to go touch the security.ima attribute for each> > > > > file in the contianer, which would slow down container creation time.> > > > > For capabilities this makes sense, because you might want the file to> > > > > have different capabilities in different namespaces, but for IMA,> > > > > since the file hash will be the same in every namespace,> > > > Actually, this isn't necessarily true: IMA may have the hash, you're> > > > right, but I suspect in most container use cases it will have the> > > > signature. It's definitely a use case that the container will be using> > > > a different keyring from the host, so different signatures are surely> > > > possible for the same underlying image file.> > > > > > > > One might imagine doing the above via overlays, because the new> > > > signature should override the old.> > > Yes, good point, thanks. Assuming the container and the host are using> > > the same keyring, we could design it in such a way that the container> > > engine doesn't need to touch every file on creation, which would be> > > very nice.> > > > I don't think this will be the general case. The host may be Ubuntu, the> > guest could be Fedora and you'll have different keys. I don't think you> > would want the container keys on the host keyring.> > I guess it depends: if your entire infrastructure needs to be signed> by your ops team, it would (presumably) all be the same ops key. If> you're running off the shelf stuff from the distros or from a vendor,> probably not, I agree.
Assuming you want to support container specific executables, you would
want them specifically signed by a key not on the system IMA keyring.
Mimi

On Tue, Jun 13, 2017 at 04:59:30PM -0400, Mimi Zohar wrote:
> Assuming you want to support container specific executables, you would> want them specifically signed by a key not on the system IMA keyring.
Yes, this is a good point.
Cheers,
Tycho

Quoting Serge E. Hallyn (serge@hallyn.com):
> Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):> > On 05/08/2017 02:11 PM, Serge E. Hallyn wrote:> > >Root in a non-initial user ns cannot be trusted to write a traditional> > >security.capability xattr. If it were allowed to do so, then any> > >unprivileged user on the host could map his own uid to root in a private> > >namespace, write the xattr, and execute the file with privilege on the> > >host.> > >> > >However supporting file capabilities in a user namespace is very> > >desirable. Not doing so means that any programs designed to run with> > >limited privilege must continue to support other methods of gaining and> > >dropping privilege. For instance a program installer must detect> > >whether file capabilities can be assigned, and assign them if so but set> > >setuid-root otherwise. The program in turn must know how to drop> > >partial capabilities, and do so only if setuid-root.> > > > Hi Serge,> > > > > > I have been looking at patch below primarily to learn how we could> > apply a similar technique to security.ima and security.evm for a> > namespaced IMA. From the paragraphs above I thought that you solved> > the problem of a shared filesystem where one now can write different> > security.capability xattrs by effectively supporting for example> > security.capability[uid=1000] and security.capability[uid=2000]> > Interesting idea. Worth considering.> > > written into the filesystem. Each would then become visible as> > security.capability if the userns mapping is set appropriately.> > However, this doesn't seem to be how it is implemented. There seems> > Indeed, when I was considering supporting multiple simulatenous> xattrs, I did it as something like:> > struct vfs_ns_cap_data {> struct {> __le32 permitted;> __le32 inheritable;> } data[VFS_CAP_U32];> __le32 rootid;> };> > struct vfs_ns_cap {> __le32 magic_etc;> __le32 n_entries;> struct ns_cap_data data[0];> }; // followed by n_entries of struct ns_cap_data> > You're instead suggesting encoding the rootuid in the name,> which is interesting.> > > to be only a single such entry with uid appended to it and, if it> > was a shared filesystem, the first one to set this attribute blocks> > everyone else from writing the xattr. Is that how it works? Would> > Approximately - indeed there is only a single xattr. But it can be> overwritten, so long as the writer has CAP_SETFCAP over the user_ns> which mounted the filesystem.
Hang on. I've mis-spoken. That's the requirement for writing a
v2 xattr. To write a v3 xattr you only need to be privileged
(with CAP_SETFCAP) against the inode.

Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):
> On 06/13/2017 01:18 PM, Serge E. Hallyn wrote:> >Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):> >>On 05/08/2017 02:11 PM, Serge E. Hallyn wrote:> >>>Root in a non-initial user ns cannot be trusted to write a traditional> >>>security.capability xattr. If it were allowed to do so, then any> >>>unprivileged user on the host could map his own uid to root in a private> >>>namespace, write the xattr, and execute the file with privilege on the> >>>host.> >>>> >>>However supporting file capabilities in a user namespace is very> >>>desirable. Not doing so means that any programs designed to run with> >>>limited privilege must continue to support other methods of gaining and> >>>dropping privilege. For instance a program installer must detect> >>>whether file capabilities can be assigned, and assign them if so but set> >>>setuid-root otherwise. The program in turn must know how to drop> >>>partial capabilities, and do so only if setuid-root.> >>Hi Serge,> >>> >>> >> I have been looking at patch below primarily to learn how we could> >>apply a similar technique to security.ima and security.evm for a> >>namespaced IMA. From the paragraphs above I thought that you solved> >>the problem of a shared filesystem where one now can write different> >>security.capability xattrs by effectively supporting for example> >>security.capability[uid=1000] and security.capability[uid=2000]> >>written into the filesystem. Each would then become visible as> >>security.capability if the userns mapping is set appropriately.> >>However, this doesn't seem to be how it is implemented. There seems> >>to be only a single such entry with uid appended to it and, if it> >>was a shared filesystem, the first one to set this attribute blocks> >>everyone else from writing the xattr. Is that how it works? Would> >Yes, that's how this works here. I'd considered allowing multiple> >entries, but I didn't feel that was needed for this case. In a previous> >implementation (which is probably in the lkml archives somewhere) I> >supported variable length xattr so that multiple containers could> >each write a value tagged with their own userns.rootid. Instead,> >in the final version, if root in any parent container writes an> >xattr, it will take effect in child user namespaces. Which is> >sensible - the parent presumbly laid out the filesystem to create> >the child container.> >> >>that work differently with an overlay filesystem ? I think a similar> >Certainly an overlay filesystem should be an easy case as the container> >can have its own copy of the inode with its own xattr. Btrfs/zfs> >would be nicer as the whole file wouldn't need to be copied.> >> >>model could also work for IMA, but maybe you have some thoughts. The> >>only thing I would be concerned about is blocking the parent> >>container's root user from setting an xattr.> >So if you have container c1 creating child container c2 on host h1,> >then if c1 creates an xattr, can c2 not use that? And if h1 writes it,> >can c1 and c2 use it?> > In the case of IMA appraisal the extended attribute security.ima> would be a signature. For c1 and c2 to use that file they would all> have to have the same key on their (isolated IMA namespace )> keyring. I think this type of setup could be arranged.
Ok. If it's too much of a restriction then certainly we can make
it more flexible. I don't think we want to support too many versions
of magic in this code, so if there's a chance we'll want to make it
more flexible later, then perhaps we should discuss the other options
in more detail now.
> Following your attack description in the introduction I would say> that we would want to prevent malicious modification of a> security.ima extended attribute:> > "Root in a non-initial user ns cannot be trusted to write a traditional security.ima xattr. If it were allowed to do so, then any unprivileged user on the host could map his own uid to root in a private namespace, write the signature in the security.ima xattr, and prevent the file from being accessible on the host."
Of course.
The way this is handled with nsfscaps is not by just forbidding the
write, but by only respecting the xattr if the rootid which was
written in the xattr (which is translated and enforced by the kernel
at write time) is root in the caller's user_ns or a parent thereof.
I think that would suffice for ima as well?
> >If they can't, then I guess for IMA multiple xattrs would need to be> >supported.> > I am not sure about that. I suppose any extended attribute> modifications would have to be designed for the case where a shared> filesystem is used that also shares the extended attributes, not> assuming an overlay filesystem that automatically isolates the> extend attributes. With the shared filesystem I'd like to prevent> any type of setting of extended attributes by a child container or> more generally anyone mounting it as a '2nd consumer', which would> make it a shared filesystem. Only the process that mounts a> filesystem as the '1st consumer' would be able to set the extended> attributes.
Right, again that's currently the case in the nscaps patch.
> I am assuming that using an overlay fs would always make> you the '1st consumer' -- I would hope that these conditions could> be detected. And probably the process should also write along its> host uid as part of writing out the xattr.
I think that's what the rootid in the nscaps xattr is.
> If all extended> attributes were to support this model, maybe the 'uid' could be> associated with the 'name' of the xattr rather than its 'value' (not> sure whether that's possible).
Right, I missed that in your original email when I saw it this morning.
It's not what my patch does, but it's an interesting idea. Do you have
a patch to that effect? We might even be able to generalize that to
namespace any security.* xattrs. Wouldn't be automatically enabled
for anything but ima and capabilities, but we could make the infrastructure
generic and re-usable.

On 06/13/2017 07:55 PM, Serge E. Hallyn wrote:
> Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):>> On 06/13/2017 01:18 PM, Serge E. Hallyn wrote:>>> Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):>>>> On 05/08/2017 02:11 PM, Serge E. Hallyn wrote:>>>>> Root in a non-initial user ns cannot be trusted to write a traditional>>>>> security.capability xattr. If it were allowed to do so, then any>>>>> unprivileged user on the host could map his own uid to root in a private>>>>> namespace, write the xattr, and execute the file with privilege on the>>>>> host.>>>>>>>>>> However supporting file capabilities in a user namespace is very>>>>> desirable. Not doing so means that any programs designed to run with>>>>> limited privilege must continue to support other methods of gaining and>>>>> dropping privilege. For instance a program installer must detect>>>>> whether file capabilities can be assigned, and assign them if so but set>>>>> setuid-root otherwise. The program in turn must know how to drop>>>>> partial capabilities, and do so only if setuid-root.>>>> Hi Serge,>>>>>>>>>>>> I have been looking at patch below primarily to learn how we could>>>> apply a similar technique to security.ima and security.evm for a>>>> namespaced IMA. From the paragraphs above I thought that you solved>>>> the problem of a shared filesystem where one now can write different>>>> security.capability xattrs by effectively supporting for example>>>> security.capability[uid=1000] and security.capability[uid=2000]>>>> written into the filesystem. Each would then become visible as>>>> security.capability if the userns mapping is set appropriately.>>>> However, this doesn't seem to be how it is implemented. There seems>>>> to be only a single such entry with uid appended to it and, if it>>>> was a shared filesystem, the first one to set this attribute blocks>>>> everyone else from writing the xattr. Is that how it works? Would>>> Yes, that's how this works here. I'd considered allowing multiple>>> entries, but I didn't feel that was needed for this case. In a previous>>> implementation (which is probably in the lkml archives somewhere) I>>> supported variable length xattr so that multiple containers could>>> each write a value tagged with their own userns.rootid. Instead,>>> in the final version, if root in any parent container writes an>>> xattr, it will take effect in child user namespaces. Which is>>> sensible - the parent presumbly laid out the filesystem to create>>> the child container.>>>>>>> that work differently with an overlay filesystem ? I think a similar>>> Certainly an overlay filesystem should be an easy case as the container>>> can have its own copy of the inode with its own xattr. Btrfs/zfs>>> would be nicer as the whole file wouldn't need to be copied.>>>>>>> model could also work for IMA, but maybe you have some thoughts. The>>>> only thing I would be concerned about is blocking the parent>>>> container's root user from setting an xattr.>>> So if you have container c1 creating child container c2 on host h1,>>> then if c1 creates an xattr, can c2 not use that? And if h1 writes it,>>> can c1 and c2 use it?>> In the case of IMA appraisal the extended attribute security.ima>> would be a signature. For c1 and c2 to use that file they would all>> have to have the same key on their (isolated IMA namespace )>> keyring. I think this type of setup could be arranged.> Ok. If it's too much of a restriction then certainly we can make> it more flexible. I don't think we want to support too many versions> of magic in this code, so if there's a chance we'll want to make it> more flexible later, then perhaps we should discuss the other options> in more detail now.>>> Following your attack description in the introduction I would say>> that we would want to prevent malicious modification of a>> security.ima extended attribute:>>>> "Root in a non-initial user ns cannot be trusted to write a traditional security.ima xattr. If it were allowed to do so, then any unprivileged user on the host could map his own uid to root in a private namespace, write the signature in the security.ima xattr, and prevent the file from being accessible on the host."> Of course.>> The way this is handled with nsfscaps is not by just forbidding the> write, but by only respecting the xattr if the rootid which was> written in the xattr (which is translated and enforced by the kernel> at write time) is root in the caller's user_ns or a parent thereof.>> I think that would suffice for ima as well?>>>> If they can't, then I guess for IMA multiple xattrs would need to be>>> supported.>> I am not sure about that. I suppose any extended attribute>> modifications would have to be designed for the case where a shared>> filesystem is used that also shares the extended attributes, not>> assuming an overlay filesystem that automatically isolates the>> extend attributes. With the shared filesystem I'd like to prevent>> any type of setting of extended attributes by a child container or>> more generally anyone mounting it as a '2nd consumer', which would>> make it a shared filesystem. Only the process that mounts a>> filesystem as the '1st consumer' would be able to set the extended>> attributes.> Right, again that's currently the case in the nscaps patch.>>> I am assuming that using an overlay fs would always make>> you the '1st consumer' -- I would hope that these conditions could>> be detected. And probably the process should also write along its>> host uid as part of writing out the xattr.> I think that's what the rootid in the nscaps xattr is.>>> If all extended>> attributes were to support this model, maybe the 'uid' could be>> associated with the 'name' of the xattr rather than its 'value' (not>> sure whether that's possible).> Right, I missed that in your original email when I saw it this morning.> It's not what my patch does, but it's an interesting idea. Do you have> a patch to that effect? We might even be able to generalize that to
No, I don't have a patch. It may not be possible to implement it. The
xattr_handler's take the name of the xattr as input to get(). So one
could try to encode the mapped uid in the name. However, that could lead
to problems with stale xattrs in a shared filesystem over time unless
one could limit the number of xattrs with the same prefix, e.g.,
security.capability*. So I doubt that it would work. Otherwise it would
be good if the value was wrapped in a data structure use by all xattrs,
but that doesn't seem to be the case, either. So I guess we have to go
into each type of value structure and add a uid field there.
> namespace any security.* xattrs. Wouldn't be automatically enabled> for anything but ima and capabilities, but we could make the infrastructure> generic and re-usable.>

On Wed, Jun 14, 2017 at 08:27:40AM -0400, Stefan Berger wrote:
> On 06/13/2017 07:55 PM, Serge E. Hallyn wrote:> >Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):> >> If all extended> >>attributes were to support this model, maybe the 'uid' could be> >>associated with the 'name' of the xattr rather than its 'value' (not> >>sure whether that's possible).> >Right, I missed that in your original email when I saw it this morning.> >It's not what my patch does, but it's an interesting idea. Do you have> >a patch to that effect? We might even be able to generalize that to> > No, I don't have a patch. It may not be possible to implement it.> The xattr_handler's take the name of the xattr as input to get().
That may be ok though. Assume the host created a container with
100000 as the uid for root, which created a container with 130000 as
uid for root. If root in the nested container tries to read the
xattr, the kernel can check for security.foo[130000] first, then
security.foo[100000], then security.foo. Or, it can do a listxattr
and look for those. Am I overlooking one?
> So one could try to encode the mapped uid in the name. However, that
I thought that's exactly what you were suggesting in your original
email? "security.capability[uid=2000]"
> could lead to problems with stale xattrs in a shared filesystem over> time unless one could limit the number of xattrs with the same> prefix, e.g., security.capability*. So I doubt that it would work.
Hm. Yeah. But really how many setups are there like that? I.e. if
you launch a regular docker or lxd container, the image doesn't do a
bind mount of a shared image, it layers something above it or does a
copy. What setups do you know of where multiple containers in different
user namespaces mount the same filesystem shared and writeable?
> Otherwise it would be good if the value was wrapped in a data> structure use by all xattrs, but that doesn't seem to be the case,> either. So I guess we have to go into each type of value structure> and add a uid field there.> > >namespace any security.* xattrs. Wouldn't be automatically enabled> >for anything but ima and capabilities, but we could make the infrastructure> >generic and re-usable.> >

> "Serge E. Hallyn" <serge@hallyn.com> hat am 15. Juni 2017 um 05:05 geschrieben:> > > On Wed, Jun 14, 2017 at 08:27:40AM -0400, Stefan Berger wrote:> > On 06/13/2017 07:55 PM, Serge E. Hallyn wrote:> > >Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):> > >> If all extended> > >>attributes were to support this model, maybe the 'uid' could be> > >>associated with the 'name' of the xattr rather than its 'value' (not> > >>sure whether that's possible).> > >Right, I missed that in your original email when I saw it this morning.> > >It's not what my patch does, but it's an interesting idea. Do you have> > >a patch to that effect? We might even be able to generalize that to> > > > No, I don't have a patch. It may not be possible to implement it.> > The xattr_handler's take the name of the xattr as input to get().> > That may be ok though. Assume the host created a container with> 100000 as the uid for root, which created a container with 130000 as> uid for root. If root in the nested container tries to read the> xattr, the kernel can check for security.foo[130000] first, then> security.foo[100000], then security.foo. Or, it can do a listxattr> and look for those. Am I overlooking one?> > > So one could try to encode the mapped uid in the name. However, that> > I thought that's exactly what you were suggesting in your original> email? "security.capability[uid=2000]"> > > could lead to problems with stale xattrs in a shared filesystem over> > time unless one could limit the number of xattrs with the same> > prefix, e.g., security.capability*. So I doubt that it would work.> > Hm. Yeah. But really how many setups are there like that? I.e. if> you launch a regular docker or lxd container, the image doesn't do a> bind mount of a shared image, it layers something above it or does a> copy. What setups do you know of where multiple containers in different> user namespaces mount the same filesystem shared and writeable?
Iiuc, this should also be something that will be addressed by a viable shifts
solution so it's probably not worth worrying about it here. I was going to
point out that there are plans of sharing filesystems between containers
in different user namespaces. However, without shifts this really will only
work nicely if the container's setup identical id mappings in which case you
won't have to worry about stale xattrs.
> > > Otherwise it would be good if the value was wrapped in a data> > structure use by all xattrs, but that doesn't seem to be the case,> > either. So I guess we have to go into each type of value structure> > and add a uid field there.> > > > >namespace any security.* xattrs. Wouldn't be automatically enabled> > >for anything but ima and capabilities, but we could make the infrastructure> > >generic and re-usable.> > >> _______________________________________________> Containers mailing list> Containers@lists.linux-foundation.org> https://lists.linuxfoundation.org/mailman/listinfo/containers

On 06/14/2017 11:05 PM, Serge E. Hallyn wrote:
> On Wed, Jun 14, 2017 at 08:27:40AM -0400, Stefan Berger wrote:>> On 06/13/2017 07:55 PM, Serge E. Hallyn wrote:>>> Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):>>>> If all extended>>>> attributes were to support this model, maybe the 'uid' could be>>>> associated with the 'name' of the xattr rather than its 'value' (not>>>> sure whether that's possible).>>> Right, I missed that in your original email when I saw it this morning.>>> It's not what my patch does, but it's an interesting idea. Do you have>>> a patch to that effect? We might even be able to generalize that to>> No, I don't have a patch. It may not be possible to implement it.>> The xattr_handler's take the name of the xattr as input to get().> That may be ok though. Assume the host created a container with> 100000 as the uid for root, which created a container with 130000 as> uid for root. If root in the nested container tries to read the> xattr, the kernel can check for security.foo[130000] first, then> security.foo[100000], then security.foo. Or, it can do a listxattr> and look for those. Am I overlooking one?
So that sounds like a child would 'inherit' the value of an xattr from
the closest parent if it doesn't have one itself. I guess it would
depend on the xattr whether that should apply? And removing an xattr
becomes difficult then if the parent container's xattr always shines
through...
>>> So one could try to encode the mapped uid in the name. However, that> I thought that's exactly what you were suggesting in your original> email? "security.capability[uid=2000]">>> could lead to problems with stale xattrs in a shared filesystem over>> time unless one could limit the number of xattrs with the same>> prefix, e.g., security.capability*. So I doubt that it would work.> Hm. Yeah. But really how many setups are there like that? I.e. if> you launch a regular docker or lxd container, the image doesn't do a> bind mount of a shared image, it layers something above it or does a> copy. What setups do you know of where multiple containers in different> user namespaces mount the same filesystem shared and writeable?
So you think it's a good idea? I am not sure when I would get to it,
though...
Stefan
>>> Otherwise it would be good if the value was wrapped in a data>> structure use by all xattrs, but that doesn't seem to be the case,>> either. So I guess we have to go into each type of value structure>> and add a uid field there.>>>>> namespace any security.* xattrs. Wouldn't be automatically enabled>>> for anything but ima and capabilities, but we could make the infrastructure>>> generic and re-usable.>>>

On 06/14/2017 11:05 PM, Serge E. Hallyn wrote:
> On Wed, Jun 14, 2017 at 08:27:40AM -0400, Stefan Berger wrote:>> On 06/13/2017 07:55 PM, Serge E. Hallyn wrote:>>> Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):>>>> If all extended>>>> attributes were to support this model, maybe the 'uid' could be>>>> associated with the 'name' of the xattr rather than its 'value' (not>>>> sure whether that's possible).>>> Right, I missed that in your original email when I saw it this morning.>>> It's not what my patch does, but it's an interesting idea. Do you have>>> a patch to that effect? We might even be able to generalize that to>> No, I don't have a patch. It may not be possible to implement it.>> The xattr_handler's take the name of the xattr as input to get().> That may be ok though. Assume the host created a container with> 100000 as the uid for root, which created a container with 130000 as> uid for root. If root in the nested container tries to read the> xattr, the kernel can check for security.foo[130000] first, then> security.foo[100000], then security.foo. Or, it can do a listxattr> and look for those. Am I overlooking one?>>> So one could try to encode the mapped uid in the name. However, that> I thought that's exactly what you were suggesting in your original> email? "security.capability[uid=2000]">>> could lead to problems with stale xattrs in a shared filesystem over>> time unless one could limit the number of xattrs with the same>> prefix, e.g., security.capability*. So I doubt that it would work.> Hm. Yeah. But really how many setups are there like that? I.e. if> you launch a regular docker or lxd container, the image doesn't do a> bind mount of a shared image, it layers something above it or does a> copy. What setups do you know of where multiple containers in different> user namespaces mount the same filesystem shared and writeable?
I think I have something now that accomodates userns access to
security.capability:
https://github.com/stefanberger/linux/commits/xattr_for_userns
Encoding of uid is in the attribute name now as follows:
security.foo@uid=<uid>
1) The 'plain' security.capability is only r/w accessible from the host
(init_user_ns).
2) When userns reads/writes 'security.capability' it will read/write
security.capability@uid=<uid> instead, with uid being the uid of root ,
e.g. 1000.
3) When listing xattrs for userns the host's security.capability is
filtered out to avoid read failures iof 'security.capability' if
security.capability@uid=<uid> is read but not there. (see 1) and 2))
4) security.capability* may all be read from anywhere
5) security.capability@uid=<uid> may be read or written directly from a
userns if <uid> matches the uid of root (current_uid())
6) security.capability@* are 'reserved' and may be read but not written
to unless 5) applies.
Similat, from the text of one of the functions in the code:
+ * In a user namespace we prevent read/write accesses to the _host's_
+ * security.foo to protect these extended attributes.
+ *
+ * Reading: Reading security.foo from a user namespace will read
+ * security.foo@uid=<uid> instead. Reading security.foo@uid=<uid> directly
+ * also works. In general, all security.foo*, except for security.foo
of the
+ * host, can be read from a user namespace.
+ *
+ * Writing: Writing security.foo from a user namespace will write
+ * security.foo@uid=<uid> instead. Writing security.foo@uid=<uid> directly
+ * also work.s No other security.foo* attributes, including the
security.foo
+ * offthe host, can be written to. All security.foo@* are 'reserved'.
+ *
+ * Removing: The same rules for writing apply to removing of extended
+ * attributes from a user namespace.
Stefan

Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):
> On 06/14/2017 11:05 PM, Serge E. Hallyn wrote:> >On Wed, Jun 14, 2017 at 08:27:40AM -0400, Stefan Berger wrote:> >>On 06/13/2017 07:55 PM, Serge E. Hallyn wrote:> >>>Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):> >>>> If all extended> >>>>attributes were to support this model, maybe the 'uid' could be> >>>>associated with the 'name' of the xattr rather than its 'value' (not> >>>>sure whether that's possible).> >>>Right, I missed that in your original email when I saw it this morning.> >>>It's not what my patch does, but it's an interesting idea. Do you have> >>>a patch to that effect? We might even be able to generalize that to> >>No, I don't have a patch. It may not be possible to implement it.> >>The xattr_handler's take the name of the xattr as input to get().> >That may be ok though. Assume the host created a container with> >100000 as the uid for root, which created a container with 130000 as> >uid for root. If root in the nested container tries to read the> >xattr, the kernel can check for security.foo[130000] first, then> >security.foo[100000], then security.foo. Or, it can do a listxattr> >and look for those. Am I overlooking one?> >> >>So one could try to encode the mapped uid in the name. However, that> >I thought that's exactly what you were suggesting in your original> >email? "security.capability[uid=2000]"> >> >>could lead to problems with stale xattrs in a shared filesystem over> >>time unless one could limit the number of xattrs with the same> >>prefix, e.g., security.capability*. So I doubt that it would work.> >Hm. Yeah. But really how many setups are there like that? I.e. if> >you launch a regular docker or lxd container, the image doesn't do a> >bind mount of a shared image, it layers something above it or does a> >copy. What setups do you know of where multiple containers in different> >user namespaces mount the same filesystem shared and writeable?> > I think I have something now that accomodates userns access to> security.capability:> > https://github.com/stefanberger/linux/commits/xattr_for_userns
Thanks!
> Encoding of uid is in the attribute name now as follows:> security.foo@uid=<uid>> > 1) The 'plain' security.capability is only r/w accessible from the> host (init_user_ns).> 2) When userns reads/writes 'security.capability' it will read/write> security.capability@uid=<uid> instead, with uid being the uid of> root , e.g. 1000.> 3) When listing xattrs for userns the host's security.capability is> filtered out to avoid read failures iof 'security.capability' if> security.capability@uid=<uid> is read but not there. (see 1) and 2))> 4) security.capability* may all be read from anywhere> 5) security.capability@uid=<uid> may be read or written directly> from a userns if <uid> matches the uid of root (current_uid())
This looks very close to what we want. One exception - we do want
to support root in a user namespace being able to write
security.capability@uid=<x> where <x> is a valid uid mapped in its
namespace. In that case the name should be rewritten to be
security.capability@uid=<y> where y is the unmapped kuid.val.
Eric,
so far my patch hasn't yet hit Linus' tree. Given that, would you
mind taking a look and seeing what you think of this approach? If
we may decide to go this route, we probably should stop my patch
from hitting Linus' tree before we have to continue supporting it.
Stefan,
so do you think the general framework could be re-used by IMA? If
we can move the capability-specific code in fs/xattr.c into
an LSM hook in a way that IMA can also use, then this is a definite
win.
-serge

On 06/18/2017 06:14 PM, Serge E. Hallyn wrote:
> Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):>> On 06/14/2017 11:05 PM, Serge E. Hallyn wrote:>>> On Wed, Jun 14, 2017 at 08:27:40AM -0400, Stefan Berger wrote:>>>> On 06/13/2017 07:55 PM, Serge E. Hallyn wrote:>>>>> Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):>>>>>> If all extended>>>>>> attributes were to support this model, maybe the 'uid' could be>>>>>> associated with the 'name' of the xattr rather than its 'value' (not>>>>>> sure whether that's possible).>>>>> Right, I missed that in your original email when I saw it this morning.>>>>> It's not what my patch does, but it's an interesting idea. Do you have>>>>> a patch to that effect? We might even be able to generalize that to>>>> No, I don't have a patch. It may not be possible to implement it.>>>> The xattr_handler's take the name of the xattr as input to get().>>> That may be ok though. Assume the host created a container with>>> 100000 as the uid for root, which created a container with 130000 as>>> uid for root. If root in the nested container tries to read the>>> xattr, the kernel can check for security.foo[130000] first, then>>> security.foo[100000], then security.foo. Or, it can do a listxattr>>> and look for those. Am I overlooking one?>>>>>>> So one could try to encode the mapped uid in the name. However, that>>> I thought that's exactly what you were suggesting in your original>>> email? "security.capability[uid=2000]">>>>>>> could lead to problems with stale xattrs in a shared filesystem over>>>> time unless one could limit the number of xattrs with the same>>>> prefix, e.g., security.capability*. So I doubt that it would work.>>> Hm. Yeah. But really how many setups are there like that? I.e. if>>> you launch a regular docker or lxd container, the image doesn't do a>>> bind mount of a shared image, it layers something above it or does a>>> copy. What setups do you know of where multiple containers in different>>> user namespaces mount the same filesystem shared and writeable?>> I think I have something now that accomodates userns access to>> security.capability:>>>> https://github.com/stefanberger/linux/commits/xattr_for_userns> Thanks!>>> Encoding of uid is in the attribute name now as follows:>> security.foo@uid=<uid>>>>> 1) The 'plain' security.capability is only r/w accessible from the>> host (init_user_ns).>> 2) When userns reads/writes 'security.capability' it will read/write>> security.capability@uid=<uid> instead, with uid being the uid of>> root , e.g. 1000.>> 3) When listing xattrs for userns the host's security.capability is>> filtered out to avoid read failures iof 'security.capability' if>> security.capability@uid=<uid> is read but not there. (see 1) and 2))>> 4) security.capability* may all be read from anywhere>> 5) security.capability@uid=<uid> may be read or written directly>> from a userns if <uid> matches the uid of root (current_uid())> This looks very close to what we want. One exception - we do want> to support root in a user namespace being able to write> security.capability@uid=<x> where <x> is a valid uid mapped in its> namespace. In that case the name should be rewritten to be> security.capability@uid=<y> where y is the unmapped kuid.val.
I'll try to write a patch on top of the existing one.
Can you adapt your test cases. I haven't tried them, but having them
would be important.
>> Eric,>> so far my patch hasn't yet hit Linus' tree. Given that, would you> mind taking a look and seeing what you think of this approach? If> we may decide to go this route, we probably should stop my patch> from hitting Linus' tree before we have to continue supporting it.>> Stefan,>> so do you think the general framework could be re-used by IMA? If> we can move the capability-specific code in fs/xattr.c into> an LSM hook in a way that IMA can also use, then this is a definite> win.
I am fairly sure that this would be easily possible and some of the if
statements with string comparisons would likely only have to be extended
with another comparison.
Regards,
Stefan
>> -serge>

On 06/18/2017 09:13 PM, Stefan Berger wrote:
> On 06/18/2017 06:14 PM, Serge E. Hallyn wrote:>> Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):>>> On 06/14/2017 11:05 PM, Serge E. Hallyn wrote:>>>> On Wed, Jun 14, 2017 at 08:27:40AM -0400, Stefan Berger wrote:>>>>> On 06/13/2017 07:55 PM, Serge E. Hallyn wrote:>>>>>> Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):>>>>>>> If all extended>>>>>>> attributes were to support this model, maybe the 'uid' could be>>>>>>> associated with the 'name' of the xattr rather than its 'value' >>>>>>> (not>>>>>>> sure whether that's possible).>>>>>> Right, I missed that in your original email when I saw it this >>>>>> morning.>>>>>> It's not what my patch does, but it's an interesting idea. Do >>>>>> you have>>>>>> a patch to that effect? We might even be able to generalize that to>>>>> No, I don't have a patch. It may not be possible to implement it.>>>>> The xattr_handler's take the name of the xattr as input to get().>>>> That may be ok though. Assume the host created a container with>>>> 100000 as the uid for root, which created a container with 130000 as>>>> uid for root. If root in the nested container tries to read the>>>> xattr, the kernel can check for security.foo[130000] first, then>>>> security.foo[100000], then security.foo. Or, it can do a listxattr>>>> and look for those. Am I overlooking one?>>>>>>>>> So one could try to encode the mapped uid in the name. However, that>>>> I thought that's exactly what you were suggesting in your original>>>> email? "security.capability[uid=2000]">>>>>>>>> could lead to problems with stale xattrs in a shared filesystem over>>>>> time unless one could limit the number of xattrs with the same>>>>> prefix, e.g., security.capability*. So I doubt that it would work.>>>> Hm. Yeah. But really how many setups are there like that? I.e. if>>>> you launch a regular docker or lxd container, the image doesn't do a>>>> bind mount of a shared image, it layers something above it or does a>>>> copy. What setups do you know of where multiple containers in >>>> different>>>> user namespaces mount the same filesystem shared and writeable?>>> I think I have something now that accomodates userns access to>>> security.capability:>>>>>> https://github.com/stefanberger/linux/commits/xattr_for_userns>> Thanks!>>>>> Encoding of uid is in the attribute name now as follows:>>> security.foo@uid=<uid>>>>>>> 1) The 'plain' security.capability is only r/w accessible from the>>> host (init_user_ns).>>> 2) When userns reads/writes 'security.capability' it will read/write>>> security.capability@uid=<uid> instead, with uid being the uid of>>> root , e.g. 1000.>>> 3) When listing xattrs for userns the host's security.capability is>>> filtered out to avoid read failures iof 'security.capability' if>>> security.capability@uid=<uid> is read but not there. (see 1) and 2))>>> 4) security.capability* may all be read from anywhere>>> 5) security.capability@uid=<uid> may be read or written directly>>> from a userns if <uid> matches the uid of root (current_uid())>> This looks very close to what we want. One exception - we do want>> to support root in a user namespace being able to write>> security.capability@uid=<x> where <x> is a valid uid mapped in its>> namespace. In that case the name should be rewritten to be>> security.capability@uid=<y> where y is the unmapped kuid.val.>> I'll try to write a patch on top of the existing one.
Did that now in a 2nd patch (that also fixes a few problems of the 1st).
In a user ns mapped to 1000 root can write security.capability@uid=123,
which then ends up writing to security.capability@uid=1123. The reading
also works with @uid=123. When listing xattrs only those get shown that
actually have valid mappings.
https://github.com/stefanberger/linux/commits/xattr_for_userns
Stefan

"Serge E. Hallyn" <serge@hallyn.com> writes:
> Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):>> On 06/14/2017 11:05 PM, Serge E. Hallyn wrote:>> >On Wed, Jun 14, 2017 at 08:27:40AM -0400, Stefan Berger wrote:>> >>On 06/13/2017 07:55 PM, Serge E. Hallyn wrote:>> >>>Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):>> >>>> If all extended>> >>>>attributes were to support this model, maybe the 'uid' could be>> >>>>associated with the 'name' of the xattr rather than its 'value' (not>> >>>>sure whether that's possible).>> >>>Right, I missed that in your original email when I saw it this morning.>> >>>It's not what my patch does, but it's an interesting idea. Do you have>> >>>a patch to that effect? We might even be able to generalize that to>> >>No, I don't have a patch. It may not be possible to implement it.>> >>The xattr_handler's take the name of the xattr as input to get().>> >That may be ok though. Assume the host created a container with>> >100000 as the uid for root, which created a container with 130000 as>> >uid for root. If root in the nested container tries to read the>> >xattr, the kernel can check for security.foo[130000] first, then>> >security.foo[100000], then security.foo. Or, it can do a listxattr>> >and look for those. Am I overlooking one?>> >>> >>So one could try to encode the mapped uid in the name. However, that>> >I thought that's exactly what you were suggesting in your original>> >email? "security.capability[uid=2000]">> >>> >>could lead to problems with stale xattrs in a shared filesystem over>> >>time unless one could limit the number of xattrs with the same>> >>prefix, e.g., security.capability*. So I doubt that it would work.>> >Hm. Yeah. But really how many setups are there like that? I.e. if>> >you launch a regular docker or lxd container, the image doesn't do a>> >bind mount of a shared image, it layers something above it or does a>> >copy. What setups do you know of where multiple containers in different>> >user namespaces mount the same filesystem shared and writeable?>> >> I think I have something now that accomodates userns access to>> security.capability:>> >> https://github.com/stefanberger/linux/commits/xattr_for_userns>> Thanks!>>> Encoding of uid is in the attribute name now as follows:>> security.foo@uid=<uid>>> >> 1) The 'plain' security.capability is only r/w accessible from the>> host (init_user_ns).>> 2) When userns reads/writes 'security.capability' it will read/write>> security.capability@uid=<uid> instead, with uid being the uid of>> root , e.g. 1000.>> 3) When listing xattrs for userns the host's security.capability is>> filtered out to avoid read failures iof 'security.capability' if>> security.capability@uid=<uid> is read but not there. (see 1) and 2))>> 4) security.capability* may all be read from anywhere>> 5) security.capability@uid=<uid> may be read or written directly>> from a userns if <uid> matches the uid of root (current_uid())>> This looks very close to what we want. One exception - we do want> to support root in a user namespace being able to write> security.capability@uid=<x> where <x> is a valid uid mapped in its> namespace. In that case the name should be rewritten to be> security.capability@uid=<y> where y is the unmapped kuid.val.>> Eric,>> so far my patch hasn't yet hit Linus' tree. Given that, would you> mind taking a look and seeing what you think of this approach? If> we may decide to go this route, we probably should stop my patch> from hitting Linus' tree before we have to continue supporting it.
Agreed. I will take a look. I also want to see how all of this works
in the context of stackable filesystems. As that is the one case that
looked like it could be a problem case in your current patchset.
Eric

On Tue, Jun 20, 2017 at 12:34 AM, Eric W. Biederman
<ebiederm@xmission.com> wrote:
> "Serge E. Hallyn" <serge@hallyn.com> writes:>>> Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):>>> On 06/14/2017 11:05 PM, Serge E. Hallyn wrote:>>> >On Wed, Jun 14, 2017 at 08:27:40AM -0400, Stefan Berger wrote:>>> >>On 06/13/2017 07:55 PM, Serge E. Hallyn wrote:>>> >>>Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):>>> >>>> If all extended>>> >>>>attributes were to support this model, maybe the 'uid' could be>>> >>>>associated with the 'name' of the xattr rather than its 'value' (not>>> >>>>sure whether that's possible).>>> >>>Right, I missed that in your original email when I saw it this morning.>>> >>>It's not what my patch does, but it's an interesting idea. Do you have>>> >>>a patch to that effect? We might even be able to generalize that to>>> >>No, I don't have a patch. It may not be possible to implement it.>>> >>The xattr_handler's take the name of the xattr as input to get().>>> >That may be ok though. Assume the host created a container with>>> >100000 as the uid for root, which created a container with 130000 as>>> >uid for root. If root in the nested container tries to read the>>> >xattr, the kernel can check for security.foo[130000] first, then>>> >security.foo[100000], then security.foo. Or, it can do a listxattr>>> >and look for those. Am I overlooking one?>>> >>>> >>So one could try to encode the mapped uid in the name. However, that>>> >I thought that's exactly what you were suggesting in your original>>> >email? "security.capability[uid=2000]">>> >>>> >>could lead to problems with stale xattrs in a shared filesystem over>>> >>time unless one could limit the number of xattrs with the same>>> >>prefix, e.g., security.capability*. So I doubt that it would work.>>> >Hm. Yeah. But really how many setups are there like that? I.e. if>>> >you launch a regular docker or lxd container, the image doesn't do a>>> >bind mount of a shared image, it layers something above it or does a>>> >copy. What setups do you know of where multiple containers in different>>> >user namespaces mount the same filesystem shared and writeable?>>>>>> I think I have something now that accomodates userns access to>>> security.capability:>>>>>> https://github.com/stefanberger/linux/commits/xattr_for_userns>>>> Thanks!>>>>> Encoding of uid is in the attribute name now as follows:>>> security.foo@uid=<uid>>>>>>> 1) The 'plain' security.capability is only r/w accessible from the>>> host (init_user_ns).>>> 2) When userns reads/writes 'security.capability' it will read/write>>> security.capability@uid=<uid> instead, with uid being the uid of>>> root , e.g. 1000.>>> 3) When listing xattrs for userns the host's security.capability is>>> filtered out to avoid read failures iof 'security.capability' if>>> security.capability@uid=<uid> is read but not there. (see 1) and 2))>>> 4) security.capability* may all be read from anywhere>>> 5) security.capability@uid=<uid> may be read or written directly>>> from a userns if <uid> matches the uid of root (current_uid())>>>> This looks very close to what we want. One exception - we do want>> to support root in a user namespace being able to write>> security.capability@uid=<x> where <x> is a valid uid mapped in its>> namespace. In that case the name should be rewritten to be>> security.capability@uid=<y> where y is the unmapped kuid.val.>>>> Eric,>>>> so far my patch hasn't yet hit Linus' tree. Given that, would you>> mind taking a look and seeing what you think of this approach? If>> we may decide to go this route, we probably should stop my patch>> from hitting Linus' tree before we have to continue supporting it.>> Agreed. I will take a look. I also want to see how all of this works> in the context of stackable filesystems. As that is the one case that> looked like it could be a problem case in your current patchset.>
Apropos stackable filesystems [cc some overlayfs folks], is there any
way that parts of this work could be generalized towards ns aware
trusted@uid.* xattr?
With overlayfs, files are written to underlying fs with mounter's
credentials. How this affects v3 security capabilities and how exactly
security xattrs are handled in overtlayfs I'm not sure. Vivek?
But, if we had an infrastructure to store trusted@<rootid> xattr, then
unprivileged overlayfs mount would become a very reachable goal.
Much closer goal then loop mounting...
Amir.

On Sun, Jun 18, 2017 at 09:13:28PM -0400, Stefan Berger wrote:
> Can you adapt your test cases. I haven't tried them, but having> them would be important.
branch nsfscaps of github.com/hallyn/ltp now has a patch on top
which makes it work with your capabilities. Tests are passing.
thanks,
-serge

On 06/20/2017 01:42 AM, Amir Goldstein wrote:
> On Tue, Jun 20, 2017 at 12:34 AM, Eric W. Biederman> <ebiederm@xmission.com> wrote:>> "Serge E. Hallyn" <serge@hallyn.com> writes:>>>>> Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):>>>> On 06/14/2017 11:05 PM, Serge E. Hallyn wrote:>>>>> On Wed, Jun 14, 2017 at 08:27:40AM -0400, Stefan Berger wrote:>>>>>> On 06/13/2017 07:55 PM, Serge E. Hallyn wrote:>>>>>>> Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):>>>>>>>> If all extended>>>>>>>> attributes were to support this model, maybe the 'uid' could be>>>>>>>> associated with the 'name' of the xattr rather than its 'value' (not>>>>>>>> sure whether that's possible).>>>>>>> Right, I missed that in your original email when I saw it this morning.>>>>>>> It's not what my patch does, but it's an interesting idea. Do you have>>>>>>> a patch to that effect? We might even be able to generalize that to>>>>>> No, I don't have a patch. It may not be possible to implement it.>>>>>> The xattr_handler's take the name of the xattr as input to get().>>>>> That may be ok though. Assume the host created a container with>>>>> 100000 as the uid for root, which created a container with 130000 as>>>>> uid for root. If root in the nested container tries to read the>>>>> xattr, the kernel can check for security.foo[130000] first, then>>>>> security.foo[100000], then security.foo. Or, it can do a listxattr>>>>> and look for those. Am I overlooking one?>>>>>>>>>>> So one could try to encode the mapped uid in the name. However, that>>>>> I thought that's exactly what you were suggesting in your original>>>>> email? "security.capability[uid=2000]">>>>>>>>>>> could lead to problems with stale xattrs in a shared filesystem over>>>>>> time unless one could limit the number of xattrs with the same>>>>>> prefix, e.g., security.capability*. So I doubt that it would work.>>>>> Hm. Yeah. But really how many setups are there like that? I.e. if>>>>> you launch a regular docker or lxd container, the image doesn't do a>>>>> bind mount of a shared image, it layers something above it or does a>>>>> copy. What setups do you know of where multiple containers in different>>>>> user namespaces mount the same filesystem shared and writeable?>>>> I think I have something now that accomodates userns access to>>>> security.capability:>>>>>>>> https://github.com/stefanberger/linux/commits/xattr_for_userns>>> Thanks!>>>>>>> Encoding of uid is in the attribute name now as follows:>>>> security.foo@uid=<uid>>>>>>>>> 1) The 'plain' security.capability is only r/w accessible from the>>>> host (init_user_ns).>>>> 2) When userns reads/writes 'security.capability' it will read/write>>>> security.capability@uid=<uid> instead, with uid being the uid of>>>> root , e.g. 1000.>>>> 3) When listing xattrs for userns the host's security.capability is>>>> filtered out to avoid read failures iof 'security.capability' if>>>> security.capability@uid=<uid> is read but not there. (see 1) and 2))>>>> 4) security.capability* may all be read from anywhere>>>> 5) security.capability@uid=<uid> may be read or written directly>>>> from a userns if <uid> matches the uid of root (current_uid())>>> This looks very close to what we want. One exception - we do want>>> to support root in a user namespace being able to write>>> security.capability@uid=<x> where <x> is a valid uid mapped in its>>> namespace. In that case the name should be rewritten to be>>> security.capability@uid=<y> where y is the unmapped kuid.val.>>>>>> Eric,>>>>>> so far my patch hasn't yet hit Linus' tree. Given that, would you>>> mind taking a look and seeing what you think of this approach? If>>> we may decide to go this route, we probably should stop my patch>>> from hitting Linus' tree before we have to continue supporting it.>> Agreed. I will take a look. I also want to see how all of this works>> in the context of stackable filesystems. As that is the one case that>> looked like it could be a problem case in your current patchset.>>> Apropos stackable filesystems [cc some overlayfs folks], is there any> way that parts of this work could be generalized towards ns aware> trusted@uid.* xattr?
I am at least removing all string comparison with xattr names from the
core code and move the enabled xattr names into a list. For the
security.* extended attribute names we would enumerated the enabled ones
in that list, only security.capability for now. I am not sure how the
trusted.* space works.
Stefan
>> With overlayfs, files are written to underlying fs with mounter's> credentials. How this affects v3 security capabilities and how exactly> security xattrs are handled in overtlayfs I'm not sure. Vivek?>> But, if we had an infrastructure to store trusted@<rootid> xattr, then> unprivileged overlayfs mount would become a very reachable goal.> Much closer goal then loop mounting...>> Amir.>

On 06/20/2017 08:19 AM, Stefan Berger wrote:
> On 06/20/2017 01:42 AM, Amir Goldstein wrote:>> On Tue, Jun 20, 2017 at 12:34 AM, Eric W. Biederman>> <ebiederm@xmission.com> wrote:>>> "Serge E. Hallyn" <serge@hallyn.com> writes:>>>>>>> Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):>>>>> On 06/14/2017 11:05 PM, Serge E. Hallyn wrote:>>>>>> On Wed, Jun 14, 2017 at 08:27:40AM -0400, Stefan Berger wrote:>>>>>>> On 06/13/2017 07:55 PM, Serge E. Hallyn wrote:>>>>>>>> Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):>>>>>>>>> If all extended>>>>>>>>> attributes were to support this model, maybe the 'uid' could be>>>>>>>>> associated with the 'name' of the xattr rather than its >>>>>>>>> 'value' (not>>>>>>>>> sure whether that's possible).>>>>>>>> Right, I missed that in your original email when I saw it this >>>>>>>> morning.>>>>>>>> It's not what my patch does, but it's an interesting idea. Do >>>>>>>> you have>>>>>>>> a patch to that effect? We might even be able to generalize >>>>>>>> that to>>>>>>> No, I don't have a patch. It may not be possible to implement it.>>>>>>> The xattr_handler's take the name of the xattr as input to get().>>>>>> That may be ok though. Assume the host created a container with>>>>>> 100000 as the uid for root, which created a container with 130000 as>>>>>> uid for root. If root in the nested container tries to read the>>>>>> xattr, the kernel can check for security.foo[130000] first, then>>>>>> security.foo[100000], then security.foo. Or, it can do a listxattr>>>>>> and look for those. Am I overlooking one?>>>>>>>>>>>>> So one could try to encode the mapped uid in the name. However, >>>>>>> that>>>>>> I thought that's exactly what you were suggesting in your original>>>>>> email? "security.capability[uid=2000]">>>>>>>>>>>>> could lead to problems with stale xattrs in a shared filesystem >>>>>>> over>>>>>>> time unless one could limit the number of xattrs with the same>>>>>>> prefix, e.g., security.capability*. So I doubt that it would work.>>>>>> Hm. Yeah. But really how many setups are there like that? I.e. if>>>>>> you launch a regular docker or lxd container, the image doesn't do a>>>>>> bind mount of a shared image, it layers something above it or does a>>>>>> copy. What setups do you know of where multiple containers in >>>>>> different>>>>>> user namespaces mount the same filesystem shared and writeable?>>>>> I think I have something now that accomodates userns access to>>>>> security.capability:>>>>>>>>>> https://github.com/stefanberger/linux/commits/xattr_for_userns>>>> Thanks!>>>>>>>>> Encoding of uid is in the attribute name now as follows:>>>>> security.foo@uid=<uid>>>>>>>>>>> 1) The 'plain' security.capability is only r/w accessible from the>>>>> host (init_user_ns).>>>>> 2) When userns reads/writes 'security.capability' it will read/write>>>>> security.capability@uid=<uid> instead, with uid being the uid of>>>>> root , e.g. 1000.>>>>> 3) When listing xattrs for userns the host's security.capability is>>>>> filtered out to avoid read failures iof 'security.capability' if>>>>> security.capability@uid=<uid> is read but not there. (see 1) and 2))>>>>> 4) security.capability* may all be read from anywhere>>>>> 5) security.capability@uid=<uid> may be read or written directly>>>>> from a userns if <uid> matches the uid of root (current_uid())>>>> This looks very close to what we want. One exception - we do want>>>> to support root in a user namespace being able to write>>>> security.capability@uid=<x> where <x> is a valid uid mapped in its>>>> namespace. In that case the name should be rewritten to be>>>> security.capability@uid=<y> where y is the unmapped kuid.val.>>>>>>>> Eric,>>>>>>>> so far my patch hasn't yet hit Linus' tree. Given that, would you>>>> mind taking a look and seeing what you think of this approach? If>>>> we may decide to go this route, we probably should stop my patch>>>> from hitting Linus' tree before we have to continue supporting it.>>> Agreed. I will take a look. I also want to see how all of this works>>> in the context of stackable filesystems. As that is the one case that>>> looked like it could be a problem case in your current patchset.>>>>> Apropos stackable filesystems [cc some overlayfs folks], is there any>> way that parts of this work could be generalized towards ns aware>> trusted@uid.* xattr?>> I am at least removing all string comparison with xattr names from the > core code and move the enabled xattr names into a list. For the > security.* extended attribute names we would enumerated the enabled > ones in that list, only security.capability for now. I am not sure how > the trusted.* space works.
I extended 'the infrastructure' now to support prefix matching for
trusted.* and probably others as well. It's fairly easy to do that but
would not write the code like that for exact string matching to support
security.capability. The patch lets me write trusted.foo@uid=100 from
within the userns if uid=100 exists, rejects it otherwise. It may be
written out as trusted.foo@uid=1100 for root mapping to uid 1000. I can
list this entry on the host. For some reason trusted.* is not listed at
all inside the userns. So something else needs to be enabled as well.
For now it looks like this:
https://github.com/stefanberger/linux/commit/8ae131e731c9e1def92a2100697632ea35e007d0
Regards,
Stefan

On Tue, Jun 20, 2017 at 8:33 PM, Stefan Berger
<stefanb@linux.vnet.ibm.com> wrote:
> On 06/20/2017 08:19 AM, Stefan Berger wrote:>>>> On 06/20/2017 01:42 AM, Amir Goldstein wrote:
>>>>>>> Apropos stackable filesystems [cc some overlayfs folks], is there any>>> way that parts of this work could be generalized towards ns aware>>> trusted@uid.* xattr?>>>>>> I am at least removing all string comparison with xattr names from the>> core code and move the enabled xattr names into a list. For the security.*>> extended attribute names we would enumerated the enabled ones in that list,>> only security.capability for now. I am not sure how the trusted.* space>> works.>>> I extended 'the infrastructure' now to support prefix matching for trusted.*> and probably others as well. It's fairly easy to do that but would not write> the code like that for exact string matching to support security.capability.> The patch lets me write trusted.foo@uid=100 from within the userns if> uid=100 exists, rejects it otherwise. It may be written out as> trusted.foo@uid=1100 for root mapping to uid 1000. I can list this entry on> the host. For some reason trusted.* is not listed at all inside the userns.> So something else needs to be enabled as well. For now it looks like this:>>> https://github.com/stefanberger/linux/commit/8ae131e731c9e1def92a2100697632ea35e007d0>
That looks useful!
I hope someone who knows his way around trusted xattr can say what's missing.
Thanks,
Amir.

On Tue, Jun 20, 2017 at 08:42:45AM +0300, Amir Goldstein wrote:
> On Tue, Jun 20, 2017 at 12:34 AM, Eric W. Biederman> <ebiederm@xmission.com> wrote:> > "Serge E. Hallyn" <serge@hallyn.com> writes:> >> >> Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):> >>> On 06/14/2017 11:05 PM, Serge E. Hallyn wrote:> >>> >On Wed, Jun 14, 2017 at 08:27:40AM -0400, Stefan Berger wrote:> >>> >>On 06/13/2017 07:55 PM, Serge E. Hallyn wrote:> >>> >>>Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):> >>> >>>> If all extended> >>> >>>>attributes were to support this model, maybe the 'uid' could be> >>> >>>>associated with the 'name' of the xattr rather than its 'value' (not> >>> >>>>sure whether that's possible).> >>> >>>Right, I missed that in your original email when I saw it this morning.> >>> >>>It's not what my patch does, but it's an interesting idea. Do you have> >>> >>>a patch to that effect? We might even be able to generalize that to> >>> >>No, I don't have a patch. It may not be possible to implement it.> >>> >>The xattr_handler's take the name of the xattr as input to get().> >>> >That may be ok though. Assume the host created a container with> >>> >100000 as the uid for root, which created a container with 130000 as> >>> >uid for root. If root in the nested container tries to read the> >>> >xattr, the kernel can check for security.foo[130000] first, then> >>> >security.foo[100000], then security.foo. Or, it can do a listxattr> >>> >and look for those. Am I overlooking one?> >>> >> >>> >>So one could try to encode the mapped uid in the name. However, that> >>> >I thought that's exactly what you were suggesting in your original> >>> >email? "security.capability[uid=2000]"> >>> >> >>> >>could lead to problems with stale xattrs in a shared filesystem over> >>> >>time unless one could limit the number of xattrs with the same> >>> >>prefix, e.g., security.capability*. So I doubt that it would work.> >>> >Hm. Yeah. But really how many setups are there like that? I.e. if> >>> >you launch a regular docker or lxd container, the image doesn't do a> >>> >bind mount of a shared image, it layers something above it or does a> >>> >copy. What setups do you know of where multiple containers in different> >>> >user namespaces mount the same filesystem shared and writeable?> >>>> >>> I think I have something now that accomodates userns access to> >>> security.capability:> >>>> >>> https://github.com/stefanberger/linux/commits/xattr_for_userns> >>> >> Thanks!> >>> >>> Encoding of uid is in the attribute name now as follows:> >>> security.foo@uid=<uid>> >>>> >>> 1) The 'plain' security.capability is only r/w accessible from the> >>> host (init_user_ns).> >>> 2) When userns reads/writes 'security.capability' it will read/write> >>> security.capability@uid=<uid> instead, with uid being the uid of> >>> root , e.g. 1000.> >>> 3) When listing xattrs for userns the host's security.capability is> >>> filtered out to avoid read failures iof 'security.capability' if> >>> security.capability@uid=<uid> is read but not there. (see 1) and 2))> >>> 4) security.capability* may all be read from anywhere> >>> 5) security.capability@uid=<uid> may be read or written directly> >>> from a userns if <uid> matches the uid of root (current_uid())> >>> >> This looks very close to what we want. One exception - we do want> >> to support root in a user namespace being able to write> >> security.capability@uid=<x> where <x> is a valid uid mapped in its> >> namespace. In that case the name should be rewritten to be> >> security.capability@uid=<y> where y is the unmapped kuid.val.> >>> >> Eric,> >>> >> so far my patch hasn't yet hit Linus' tree. Given that, would you> >> mind taking a look and seeing what you think of this approach? If> >> we may decide to go this route, we probably should stop my patch> >> from hitting Linus' tree before we have to continue supporting it.> >> > Agreed. I will take a look. I also want to see how all of this works> > in the context of stackable filesystems. As that is the one case that> > looked like it could be a problem case in your current patchset.> >> > Apropos stackable filesystems [cc some overlayfs folks], is there any> way that parts of this work could be generalized towards ns aware> trusted@uid.* xattr?> > With overlayfs, files are written to underlying fs with mounter's> credentials.
We do switch to mounter's credential for privileged operations but
for a newly created file final selinux label is created as if task
created that file.
>How this affects v3 security capabilities and how exactly> security xattrs are handled in overtlayfs I'm not sure. Vivek?
Given we switch to mounter's creds for operations on underlying
filesystem (setxattr, getxattr), I thought that it probably
will call xattr_userns_name() in nested manner. Once using tasks's
creds and second time using mounter's creds. So that probably
should have made it security.foo@uid@uid. I tried patches quickly
but setcap/getcap inside containers work. So may be it is
due to the fact that mounting was done from init_user_ns and
following line of code will avoid adding @uid in that case.
+ /* no name changes for init_user_ns or uid == 0 */
+ if (current_user_ns() == &init_user_ns || uid.val == 0)
+ goto out_copy;
+
I have not looked deeper. Still curious how getxattr() path works
when we switch to mounter's creds. In that case underlying file
system will get the impression that mounter task is trying to
do getxattr() in security.capability set by container task. I
am assuming we allow that?
I need to spend more time understanding this.
Vivek